police investigation

August 22, 2011

What happens when police seize servers belonging to a cloud computing service provider?

In spring 2009, a federal district court granted the FBI a search warrant to seize control of computer servers and related equipment in facilities run by Core IP Networks. Apparently Core leased its facilities to the owners of servers, including a cloud computing service provider named Liquid Motors. Liquid Motors was not accused of wrongdoing, but the FBI had information suggesting that a criminal enterprise (apparently including Core) had used LM’s servers or some of the data stored in them.

LM helps large, national auto dealers manage their inventory and Internet marketing. The seizure shut LM down and debilitated the operations of its innocent customers. The data of all LM users and customers were commingled, cloud-computing style.

Request Relief from Court

LM promptly requested that the court order the FBI to release the servers. It claimed that it and its innocent customers were suffering great economic hardship.

The court denied the request. The court was satisfied that the FBI had adequate justification to hold the servers.

Court Appearance Gives FBI Sense of Urgency

However, the court hearing put FBI under the spotlight. FBI did not want to appear unreasonable in court. Recognizing the economic impact of its action, the FBI said it was working urgently (over a weekend) to copy data from the hard drives of the servers, with a view to returning the servers to LM as quickly as possible. Liquid Motors, Inc. v. Lynd, No. 3:09-cv-0611-N (N.D. Tex. April 3, 2009).

As cloud computing becomes more common, I suspect courts will come to expect police like the FBI to refine their methods so that targeted data can be secured without damaging all the innocent people whose data and services are coincidentally housed with it. Refined methods might include, for example, allowing servers to continue functioning normally while target records are copied.

Backup Data

The customers of cloud services face more than just the risk that police will confiscate a provider's servers. The provider may go into bankruptcy or suffer sabotage at the hands of a disgruntled employee. To address these risks, customers might spread or duplicate their data and services across multiple service providers, located in multiple jurisdictions.

Update: The risk that police raids will damage innocent cloud customers needs to be seen in context. Similar risk applies in many sectors of the economy. It is not uncommon for the seizure of assets by police to affect innocent bystanders. For example, the FBI confiscated $392,000 of cash belonging to an innocent New York check-cashing company when it seized assets from an armored car company under investigation. John Emshwiller and Gary Fields, "Federal Asset Seizures Rise, Netting Innocent with Guilty," Wall Street Journal, August 22, 2011.

July 28, 2011

When the FBI raided DigitalOne, a co-location data center, in search of data belonging to criminals, it also disrupted innocent businesses. One of those was Instapaper. Services for Instapaper were offline for most of a day. The services unexpectedly stopped, and then resumed many hours later.

Whether the disruption was unavoidable is unclear. The FBI did not explain how the raid transpired. DigitalOne suggested that the FBI was clumsy, taking a whole enclosure of servers, rather than the particular servers that were the focus of its raid.

Some in the technical community have criticized the FBI for not knowing the difference between an enclosure and a server.

I don’t know whether the FBI was in fact clumsy. The full story is probably complicated.

Problem Will Be More Common

This is not the first time that a well-meaning FBI raid of a contract data center caused disruption to innocent businesses housed at the center. A company named Liquid Motors complained in court when an FBI data center raid damaged its business, which was not connected with the criminal activity that precipitated the raid.

Disruptions like this threaten to grow more common. Co-location, cloud computing and other IT outsourcing are on the rise. FBI and other law enforcement need to refine their methods of investigation. When they must raid a data center that serves multiple clients, they should not cause more harm than good.

What FBI Should Do

Yes, FBI needs to shut down cyber criminals and collect evidence so they can be prosecuted. But FBI undermines the community’s trust when it damages innocent bystanders.

Before executing a raid, FBI should evaluate whether its mission truly requires it to seize hardware and take it offline. It should develop techniques for surgically getting what it needs, while avoiding disruption of anything else.

FBI further should strive for transparency and accountability. It should vow to the community to disclose as much as it can, as soon as it can, about what it is doing and how. It should explain which servers it is impacting, in what way and for what reason.

I realize that explanation to the public is time-consuming work. And explanation can lead to second-guessing and criticism. But explanation is necessary to ensure that FBI is constantly refining its methods and learning from any mistakes it makes. Explanation also promotes FBI’s stature within the technical community.

April 22, 2011

The collection of cloud evidence vexes investigators, whether they be police, auditors or consumer watchdogs. As more and more social and commercial interactions occur in the Internet cloud, new methods are needed for proving what happened.

Traditional Forensics Methods Usually Don't Apply in the Cloud

Traditional digital forensics emphasizes an investigator gaining access to data stored on a computer, such as in a hard drive, where records show what happened through the computer (web surfing, email writing). Yet our digital lives are becoming centered less in our computers and more in the cloud, where we mingle by way of numerous, increasingly mobile, disposable, interchangeable devices. An investigator may never get access to the relevant user or service provider device(s), even though he can witness a live online event by connecting to it through his own computer.

Online content is ephemeral. A Facebook Wall can show one thing now and something different a minute later. A chat session or an online game can transpire in a flash. How should a professional investigator record the activity on a FB Wall or in a chat session?

Screenshots Miss a Lot of Detail

Granted, the investigator can take a screenshot or make a log file of activity, but such a record can be sketchy.

Screencast Video Captures Detail and Interaction

A better record would capture a stream of all the text, images, motion and sounds in an online activity – what’s known as a screencast.

Still, a record is like a rumor. It’s worthless unless a credible witness can explain and vouch for it.

So I propose a recording that unites a screencast with compelling, eyewitness testimony. It’s a split-screen video record simultaneously showing what an investigator sees and his real-time narration of events. Let me demonstrate:

The video depicts an investigator memorializing what he sees in a live interaction with another party, in this case a thief hawking stolen product plans. It shows him explaining through his webcam as he chats, clicks and observes. He reads directly into his video report his identity, his purpose, and his authorization. At the end he takes responsibility by formally signing and vouching for his record, in a way that would appeal to a skeptical audience, such as a jury, a judge, a journalist or a panel of lawmakers.

The rich detail captured in the video facilitates later review of the investigator’s work by a third party.

Compare Log File

In the video, the exchange with the thief occurs through Windows Live Messenger, which does allow for creation of this activity log.

But notice the log misses much of the action. It shows no images or mouse movements. It completely ignores Scooter Montgomery’s dramatic visual display of the stolen document.

Problem Investigations

Is a better way to record online investigations really needed? Have online investigations ever been discredited due to poor records? Yes.

In one series of cases, the Recording Industry Association of America hired MediaSentry to find copyright infringers sharing music on peer-to-peer networks. MediaSentry said it identified some infringers and produced logs and screenshots as evidence. But an expert criticized the credibility of MediaSentry’s evidence in court, and a leading critic sounded authoritative when the Wall Street Journal quoted him calling MediaSentry’s evidence collection “sloppy.” RIAA terminated its relationship with MediaSentry.

In another case, the district attorney for Collin County, Texas, dropped charges against alleged pedophiles on account of weak evidence of online activity. Investigators for a public-interest group named Perverted Justice claimed to have engaged the suspects in incriminating chat sessions, but police lacked confidence in the trustworthiness of the logs Perverted Justice produced to show what happened in the sessions.

The split-screen video demonstrated above compiles a more complete and credible record.

Update: Here's another application of the split-screen record. The operator of a surveillance camera could narrate and authenticate, in real-time, what she sees by way of the camera. The camera might be mounted on a building. Or it might be on a police or military drone.

July 08, 2009

Computers change how police investigations work. Take a traffic citation, for example. In the past, for a police officer to issue a traffic ticket, the officer had to be present at the scene and had to talk to the motorist face-to-face. At an emotional level – as well as an administrative one – the police officer was deterred from issuing tickets for minor, technical violations of traffic laws.

For example, if an officer observed a motorist not quite clear an intersection before the traffic light turned red, the officer might think twice before chasing the motorist down and issuing a citation. To pursue the motorist takes time away from other duties. Then, the motorist may argue the officer’s observation was wrong. Further, the motorist may confront the officer as a human. The motorist may say by words, body language or the expression on his face, “you are a jerk for issuing me this frivolous ticket.” Police officers don’t like being told (even politely and subtly) that they are hyper-technical jerks.

Digital technology changes this legal proceeding. A red light camera at an intersection transmits electronic records to a police officer (detective) who is not standing on the street, but seated in a comfortable office. The records provide evidence that is more fixed than mere memory. The officer can review the digital evidence in no time and issue the citation with the click of a button. For the officer, the legal investigation and decision are like playing a dull, unemotional video game. The officer may issue many more citations than in the past.

Automated traffic cameras can make a motorist angry. The motorist loses the ability to discuss the situation with the investigating officer at the scene, where the motorist might talk about the danger of slamming on the brakes when a light changes. With computer enforcement, the motorist just gets a bland notice in the mail with a photograph and possibly web access to a computer video of the event.

Jim Ash, a citizen of College Station, Texas, feels that the dehumanization of law enforcement is an infringement of privacy, a civil right. In our electronic age, privacy is an ill-defined notion, but it resonates with people in a democracy.

Mr. Ash is leading a grass-roots voter referendum [see Footnote] to ban red-light cameras in College Station. He is exploiting the power that modern technology affords individuals – a web site and numerous Freedom of Information Act (FOIA) requests for discovery of voluminous electronic records (including email) maintained by the City of College Station and other local governments in Texas. He says he has uncovered an email from the mayor acknowledging that red light cameras will cause more rear-end collisions, while possibly reducing other collisions. (Most mayors would prefer that their email be withheld from political activists like Ash.)

Ash has collected about 1000 verified signatures from College Station voters, enough to cause the referendum to appear on a forthcoming ballot. He plans to deliver the signatures to City Hall management in a rally scheduled for around noon, July 16, 2009.

Ash is promoting the rally with radio commercials playing in College Station. Following are two MP3s of the commercials.

Update: The College Station City Secretary has confirmed that Ash and his team collected and delivered more than enough signatures to place the red light issue on the ballot for the next election. Ash has formed a political action committee named Take Back Your City.

Update November 4, 2009: According to the local TV station, the voters of College Station, Texas, voted to approve the petition initiative against red light cameras.

Update: This photo shows workers deactivating the red light cameras in College Station, November 24, 2009:

–Benjamin Wright

Mr. Wright delivers training on cyber defense law and ethics under the SANS Institute.

Footnote: When I originally wrote about Jim Ash's voters' effort in College Station, I called it a "referendum," not having researched or thought about the technical difference between a referendum and a petition initiative under the city's charter or under the Texas law of municipalities. I have since learned that the effort is a "petition initiative," not a referendum.

June 23, 2009

For responsible parties like corporations and government agencies, a reason to retain all their e-mail, text and instant message records is to refute forgeries of e-records. Thorough email archives (including each attachment) provide forensic evidence to invalidate false claims.

Just ask Australia’s prime minister, Kevin Rudd. His political opponents tried to embarrass him with an electronic mail record purportedly from his senior advisor Andrew Charlton. The e-mail appeared to show corruption; it appeared to show Rudd’s government conferring a business advantage to Rudd’s friend John Grant.

But fortunately for the government, it retained its own e-mail records for the time in question. An investigation revealed that the scandalous e-mail was a forgery!

The investigation proceeded in two steps. First it examined the alleged sender’s digital records. “Searches by the Department of Prime Minister and Cabinet and Treasury of Dr Charlton's computer and the system of the public service had found nothing. ‘There have been exhaustive searches conducted on Dr Charlton's computer email system and no such correspondence can be found,’ Mr Rudd said.”

Second, the Australian Federal Police (equivalent to FBI) conducted a forensic analysis of two computers used by the purported receiver of the e-mail. "Preliminary results of those forensic examinations indicate that the email referred to at the centre of this investigation has been created by a person or persons other than the purported author of the email," said the AFP.

This revelation of course played to the Prime Minister’s distinct advantage. He could show that his adversaries had based their attack on misrepresented facts.

The Strategy Lesson: Unless you are a criminal, your e-records are your friend. Had the government been destroying its records quickly, it would not have been so capable of exposing this fraud.

–Benjamin Wright

Mr. Wright is an advisor to Messaging Architects, a thought leader on ESI investigations.

Blogger

Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He is a pioneer in the promotion of public relations to address Internet legal issues and crises. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in the subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center in 1984.
